More wireless FUD, but no wireless flaw
 
Well, one day after Brian Krebs claimed that he witnessed the alleged MacBook wireless exploit performed against a MacBook’s built-in wireless card (see “Less wireless FUD”), it seems he was in fact duped (as were we). At this point however, it’s really hard to know for sure, as the FUD factor is once again increasing.
 
In his recent column, Mr. Krebs specifically stated that the researchers “exploited the Macbook without any third-party wireless card plugged in.” The implication being (and it seems Mr. Krebs actually believed) that the exploit could be executed against an unmodified MacBook. In an understated but clear posting yesterday on their site, however, the researchers say the MacBook “was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook.”
 
That’s a pretty darn big difference! No one in their right mind would install a third-party driver for the wireless card built into the MacBook. It seems this installation was done by the researchers solely for Mr. Krebs’ “benefit.” Mr. Krebs just today posted an update to his reporting, pretty much confirming what we already know, but not really further clarifying things nor admitting to being duped at all. He seems to still be looking into the whole situation.
 
To add still more to the FUD, an Apple spokeswoman told Macworld “the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac.” She was probably, however, referring to the taped demonstration shown at Black Hat, not the live one witnessed by Mr. Krebs. At this point, who knows!
 
The good news is that, despite all the FUD, and even recent comments here, right now it looks like there is no intrinsic vulnerability with the MacBook or any other Mac when it comes to this wireless exploit. But stay tuned to be sure.
Friday, August 18, 2006